Unreviewed, relanding 266519@main

https://bugs.webkit.org/show_bug.cgi?id=259749 rdar://113292761 Relanding 266519@main with one fix, adding OpCallIgnoreResult to ArrayProfile list in Opcode.h * LayoutTests/platform/ios-wk2/fast/dom/focus-dialog-blur-input-type-change-crash-expected.txt: * Source/JavaScriptCore/bytecode/BytecodeList.rb: * Source/JavaScriptCore/bytecode/BytecodeOperandsForCheckpoint.h: (JSC::destinationFor): * Source/JavaScriptCore/bytecode/BytecodeUseDef.cpp: (JSC::computeUsesForBytecodeIndexImpl): (JSC::computeDefsForBytecodeIndexImpl): * Source/JavaScriptCore/bytecode/CallLinkInfo.cpp: (JSC::CallLinkInfo::callTypeFor): * Source/JavaScriptCore/bytecode/CodeBlock.cpp: (JSC::CodeBlock::finishCreation): * Source/JavaScriptCore/bytecode/Opcode.h: * Source/JavaScriptCore/bytecode/OpcodeInlines.h: (JSC::isOpcodeShape): * Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::generate): (JSC::BytecodeGenerator::BytecodeGenerator): (JSC::BytecodeGenerator::emitCallInTailPosition): (JSC::BytecodeGenerator::emitCall): (JSC::BytecodeGenerator::emitCallVarargsInTailPosition): (JSC::BytecodeGenerator::emitCallForwardArgumentsInTailPosition): * Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h: (JSC::BytecodeGenerator::emitNode): (JSC::BytecodeGenerator::emitNodeInTailPositionFromReturnNode): (JSC::BytecodeGenerator::emitNodeInTailPositionFromExprStatementNode): * Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp: (JSC::ExprStatementNode::emitBytecode): (JSC::ReturnNode::emitBytecode): * Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit): (JSC::DFG::ByteCodeParser::handleCallVariant): (JSC::DFG::ByteCodeParser::handleMinMax): (JSC::DFG::ByteCodeParser::handleIntrinsicCall): (JSC::DFG::ByteCodeParser::parseBlock): * Source/JavaScriptCore/dfg/DFGGraph.cpp: (JSC::DFG::Graph::methodOfGettingAValueProfileFor): * Source/JavaScriptCore/dfg/DFGNodeType.h: * Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp: (JSC::DFG::callerReturnPC): (JSC::DFG::reifyInlinedCallFrames): * Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileFunction): * Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::emitCall): * Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::lower): (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): * Source/JavaScriptCore/ftl/FTLSlowPathCall.h: (JSC::FTL::callOperation): * Source/JavaScriptCore/jit/CallFrameShuffler.cpp: (JSC::CallFrameShuffler::prepareAny): * Source/JavaScriptCore/jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): (JSC::JIT::privateCompileSlowCases): * Source/JavaScriptCore/jit/JIT.h: * Source/JavaScriptCore/jit/JITCall.cpp: (JSC::JIT::compileSetupFrame): (JSC::JIT::compileOpCall): (JSC::JIT::emit_op_call_ignore_result): (JSC::JIT::emitSlow_op_call_ignore_result): * Source/JavaScriptCore/llint/LLIntOpcode.h: * Source/JavaScriptCore/llint/LLIntThunks.cpp: (JSC::LLInt::returnLocationThunk): * Source/JavaScriptCore/llint/LowLevelInterpreter.asm: * Source/JavaScriptCore/llint/LowLevelInterpreter.cpp: (JSC::CLoop::execute): * Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm: * Source/JavaScriptCore/llint/LowLevelInterpreter64.asm: * Source/JavaScriptCore/runtime/FileBasedFuzzerAgent.cpp: (JSC::FileBasedFuzzerAgent::getPredictionInternal): * Source/JavaScriptCore/runtime/Gate.h: * Source/JavaScriptCore/runtime/PredictionFileCreatingFuzzerAgent.cpp: (JSC::PredictionFileCreatingFuzzerAgent::getPredictionInternal): Canonical link: https://commits.webkit.org/266537@main
WebKit · Aug 3, 2023 · 9074c1d · 9074c1d
1 parent ad82b55
commit 9074c1d
Show file tree

Hide file tree

Showing 32 changed files with 264 additions and 113 deletions.
diff --git a/LayoutTests/platform/ios-wk2/fast/dom/focus-dialog-blur-input-type-change-crash-expected.txt b/LayoutTests/platform/ios-wk2/fast/dom/focus-dialog-blur-input-type-change-crash-expected.txt
@@ -1,2 +1,3 @@
 CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
 PASS
diff --git a/Source/JavaScriptCore/bytecode/BytecodeList.rb b/Source/JavaScriptCore/bytecode/BytecodeList.rb
@@ -516,6 +516,17 @@
         profile: ValueProfile,
     }
 
+op :call_ignore_result,
+    args: {
+        callee: VirtualRegister,
+        argc: unsigned,
+        argv: unsigned,
+    },
+    metadata: {
+        callLinkInfo: BaselineCallLinkInfo,
+        arrayProfile: ArrayProfile,
+    }
+
 op :get_argument,
     args: {
         dst: VirtualRegister,
@@ -1375,58 +1386,8 @@
     macro_name_component: :CLOOP_BYTECODE_HELPER
 
 op :llint_entry
-op :llint_return_to_host
 op :llint_vm_entry_to_javascript
 op :llint_vm_entry_to_native
-op :llint_cloop_did_return_from_js_1
-op :llint_cloop_did_return_from_js_2
-op :llint_cloop_did_return_from_js_3
-op :llint_cloop_did_return_from_js_4
-op :llint_cloop_did_return_from_js_5
-op :llint_cloop_did_return_from_js_6
-op :llint_cloop_did_return_from_js_7
-op :llint_cloop_did_return_from_js_8
-op :llint_cloop_did_return_from_js_9
-op :llint_cloop_did_return_from_js_10
-op :llint_cloop_did_return_from_js_11
-op :llint_cloop_did_return_from_js_12
-op :llint_cloop_did_return_from_js_13
-op :llint_cloop_did_return_from_js_14
-op :llint_cloop_did_return_from_js_15
-op :llint_cloop_did_return_from_js_16
-op :llint_cloop_did_return_from_js_17
-op :llint_cloop_did_return_from_js_18
-op :llint_cloop_did_return_from_js_19
-op :llint_cloop_did_return_from_js_20
-op :llint_cloop_did_return_from_js_21
-op :llint_cloop_did_return_from_js_22
-op :llint_cloop_did_return_from_js_23
-op :llint_cloop_did_return_from_js_24
-op :llint_cloop_did_return_from_js_25
-op :llint_cloop_did_return_from_js_26
-op :llint_cloop_did_return_from_js_27
-op :llint_cloop_did_return_from_js_28
-op :llint_cloop_did_return_from_js_29
-op :llint_cloop_did_return_from_js_30
-op :llint_cloop_did_return_from_js_31
-op :llint_cloop_did_return_from_js_32
-op :llint_cloop_did_return_from_js_33
-op :llint_cloop_did_return_from_js_34
-op :llint_cloop_did_return_from_js_35
-op :llint_cloop_did_return_from_js_36
-op :llint_cloop_did_return_from_js_37
-op :llint_cloop_did_return_from_js_38
-op :llint_cloop_did_return_from_js_39
-op :llint_cloop_did_return_from_js_40
-op :llint_cloop_did_return_from_js_41
-op :llint_cloop_did_return_from_js_42
-op :llint_cloop_did_return_from_js_43
-op :llint_cloop_did_return_from_js_44
-op :llint_cloop_did_return_from_js_45
-op :llint_cloop_did_return_from_js_46
-op :llint_cloop_did_return_from_js_47
-op :llint_cloop_did_return_from_js_48
-op :llint_cloop_did_return_from_js_49
 
 end_section :CLoopHelpers
 
@@ -1461,6 +1422,7 @@
 op :llint_get_host_call_return_value
 op :llint_handle_uncaught_exception
 op :op_call_return_location
+op :op_call_ignore_result_return_location
 op :op_construct_return_location
 op :op_call_varargs_return_location
 op :op_construct_varargs_return_location
@@ -1476,6 +1438,7 @@
 op :wasm_function_prologue_simd
 
 op :op_call_slow_return_location
+op :op_call_ignore_result_slow_return_location
 op :op_construct_slow_return_location
 op :op_iterator_open_slow_return_location
 op :op_iterator_next_slow_return_location
@@ -1485,12 +1448,14 @@
 op :op_call_direct_eval_slow_return_location
 
 op :js_trampoline_op_call
+op :js_trampoline_op_call_ignore_result
 op :js_trampoline_op_construct
 op :js_trampoline_op_call_varargs
 op :js_trampoline_op_construct_varargs
 op :js_trampoline_op_iterator_next
 op :js_trampoline_op_iterator_open
 op :js_trampoline_op_call_slow
+op :js_trampoline_op_call_ignore_result_slow
 op :js_trampoline_op_tail_call_slow
 op :js_trampoline_op_construct_slow
 op :js_trampoline_op_call_varargs_slow
@@ -1512,6 +1477,69 @@
 
 end_section :NativeHelpers
 
+begin_section :CLoopReturnHelpers,
+    emit_in_h_file: true,
+    macro_name_component: :CLOOP_RETURN_HELPER
+
+op :llint_return_to_host
+op :llint_cloop_did_return_from_js_1
+op :llint_cloop_did_return_from_js_2
+op :llint_cloop_did_return_from_js_3
+op :llint_cloop_did_return_from_js_4
+op :llint_cloop_did_return_from_js_5
+op :llint_cloop_did_return_from_js_6
+op :llint_cloop_did_return_from_js_7
+op :llint_cloop_did_return_from_js_8
+op :llint_cloop_did_return_from_js_9
+op :llint_cloop_did_return_from_js_10
+op :llint_cloop_did_return_from_js_11
+op :llint_cloop_did_return_from_js_12
+op :llint_cloop_did_return_from_js_13
+op :llint_cloop_did_return_from_js_14
+op :llint_cloop_did_return_from_js_15
+op :llint_cloop_did_return_from_js_16
+op :llint_cloop_did_return_from_js_17
+op :llint_cloop_did_return_from_js_18
+op :llint_cloop_did_return_from_js_19
+op :llint_cloop_did_return_from_js_20
+op :llint_cloop_did_return_from_js_21
+op :llint_cloop_did_return_from_js_22
+op :llint_cloop_did_return_from_js_23
+op :llint_cloop_did_return_from_js_24
+op :llint_cloop_did_return_from_js_25
+op :llint_cloop_did_return_from_js_26
+op :llint_cloop_did_return_from_js_27
+op :llint_cloop_did_return_from_js_28
+op :llint_cloop_did_return_from_js_29
+op :llint_cloop_did_return_from_js_30
+op :llint_cloop_did_return_from_js_31
+op :llint_cloop_did_return_from_js_32
+op :llint_cloop_did_return_from_js_33
+op :llint_cloop_did_return_from_js_34
+op :llint_cloop_did_return_from_js_35
+op :llint_cloop_did_return_from_js_36
+op :llint_cloop_did_return_from_js_37
+op :llint_cloop_did_return_from_js_38
+op :llint_cloop_did_return_from_js_39
+op :llint_cloop_did_return_from_js_40
+op :llint_cloop_did_return_from_js_41
+op :llint_cloop_did_return_from_js_42
+op :llint_cloop_did_return_from_js_43
+op :llint_cloop_did_return_from_js_44
+op :llint_cloop_did_return_from_js_45
+op :llint_cloop_did_return_from_js_46
+op :llint_cloop_did_return_from_js_47
+op :llint_cloop_did_return_from_js_48
+op :llint_cloop_did_return_from_js_49
+op :llint_cloop_did_return_from_js_50
+op :llint_cloop_did_return_from_js_51
+op :llint_cloop_did_return_from_js_52
+op :llint_cloop_did_return_from_js_53
+op :llint_cloop_did_return_from_js_54
+op :llint_cloop_did_return_from_js_55
+
+end_section :CLoopReturnHelpers
+
 begin_section :Wasm,
     emit_in_h_file: true,
     emit_in_structs_file: true,

diff --git a/Source/JavaScriptCore/bytecode/BytecodeOperandsForCheckpoint.h b/Source/JavaScriptCore/bytecode/BytecodeOperandsForCheckpoint.h
@@ -111,6 +111,8 @@ Operand destinationFor(const Bytecode& bytecode, unsigned checkpointIndex, JITTy
         default: RELEASE_ASSERT_NOT_REACHED();
         }
         return { };
+    } else if constexpr (Bytecode::opcodeID == op_call_ignore_result) {
+        return { };
     } else
         return bytecode.m_dst;
 }

diff --git a/Source/JavaScriptCore/bytecode/BytecodeUseDef.cpp b/Source/JavaScriptCore/bytecode/BytecodeUseDef.cpp
@@ -336,6 +336,9 @@ void computeUsesForBytecodeIndexImpl(const JSInstruction* instruction, Checkpoin
     case op_tail_call:
         handleOpCallLike(instruction->as<OpTailCall>());
         return;
+    case op_call_ignore_result:
+        handleOpCallLike(instruction->as<OpCallIgnoreResult>());
+        return;
 
     default:
         RELEASE_ASSERT_NOT_REACHED();
@@ -411,6 +414,7 @@ void computeDefsForBytecodeIndexImpl(unsigned numVars, const JSInstruction* inst
     case op_profile_type:
     case op_profile_control_flow:
     case op_put_to_arguments:
+    case op_call_ignore_result:
     case op_set_function_name:
     case op_check_traps:
     case op_log_shadow_chicken_prologue:

diff --git a/Source/JavaScriptCore/bytecode/CallLinkInfo.cpp b/Source/JavaScriptCore/bytecode/CallLinkInfo.cpp
@@ -48,6 +48,7 @@ CallLinkInfo::CallType CallLinkInfo::callTypeFor(OpcodeID opcodeID)
         return TailCallVarargs;        
 
     case op_call:
+    case op_call_ignore_result:
     case op_call_direct_eval:
     case op_iterator_open:
     case op_iterator_next:

diff --git a/Source/JavaScriptCore/bytecode/CodeBlock.cpp b/Source/JavaScriptCore/bytecode/CodeBlock.cpp
@@ -524,6 +524,7 @@ bool CodeBlock::finishCreation(VM& vm, ScriptExecutable* ownerExecutable, Unlink
         LINK(OpTailCallVarargs, callLinkInfo)
         LINK(OpTailCallForwardArguments, callLinkInfo)
         LINK(OpConstructVarargs, callLinkInfo, profile)
+        LINK(OpCallIgnoreResult, callLinkInfo)
 
         case op_new_array_with_species: {
             INITIALIZE_METADATA(OpNewArrayWithSpecies)

diff --git a/Source/JavaScriptCore/bytecode/Opcode.h b/Source/JavaScriptCore/bytecode/Opcode.h
@@ -56,7 +56,7 @@ namespace JSC {
 
 
 #if ENABLE(C_LOOP)
-const int numOpcodeIDs = NUMBER_OF_BYTECODE_IDS + NUMBER_OF_CLOOP_BYTECODE_HELPER_IDS + NUMBER_OF_BYTECODE_HELPER_IDS;
+const int numOpcodeIDs = NUMBER_OF_BYTECODE_IDS + NUMBER_OF_CLOOP_BYTECODE_HELPER_IDS + NUMBER_OF_BYTECODE_HELPER_IDS + NUMBER_OF_CLOOP_RETURN_HELPER_IDS;
 #else
 const int numOpcodeIDs = NUMBER_OF_BYTECODE_IDS + NUMBER_OF_BYTECODE_HELPER_IDS;
 #endif
@@ -132,6 +132,7 @@ static constexpr unsigned bitWidthForMaxBytecodeStructLength = WTF::getMSBSetCon
     macro(OpTailCallVarargs) \
     macro(OpTailCallForwardArguments) \
     macro(OpConstructVarargs) \
+    macro(OpCallIgnoreResult) \
 
 #define FOR_EACH_OPCODE_WITH_SIMPLE_ARRAY_PROFILE(macro) \
     macro(OpGetByVal) \
@@ -145,6 +146,7 @@ static constexpr unsigned bitWidthForMaxBytecodeStructLength = WTF::getMSBSetCon
     macro(OpEnumeratorHasOwnProperty) \
     macro(OpNewArrayWithSpecies) \
     macro(OpCall) \
+    macro(OpCallIgnoreResult) \
     macro(OpTailCall) \
     macro(OpIteratorOpen) \
 

diff --git a/Source/JavaScriptCore/bytecode/OpcodeInlines.h b/Source/JavaScriptCore/bytecode/OpcodeInlines.h
@@ -46,6 +46,7 @@ inline bool isOpcodeShape(OpcodeID opcodeID)
             || opcodeID == op_tail_call
             || opcodeID == op_call_direct_eval
             || opcodeID == op_call_varargs
+            || opcodeID == op_call_ignore_result
             || opcodeID == op_tail_call_varargs
             || opcodeID == op_tail_call_forward_arguments
             || opcodeID == op_iterator_open

diff --git a/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp b/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
@@ -337,6 +337,12 @@ ParserError BytecodeGenerator::generate(unsigned& size)
     RELEASE_ASSERT(m_codeBlock->numCalleeLocals() < static_cast<unsigned>(FirstConstantRegisterIndex));
     size = instructions().size();
     m_codeBlock->finalize(m_writer.finalize());
+
+    // We limit total bytecode sequence size to int32_t so that we can use int32_t jump offsets.
+    // Also, this allows us to use one bit of bytecode for some flag, including "ignore-result-flag".
+    if (size > static_cast<unsigned>(INT32_MAX))
+        return ParserError(ParserError::OutOfMemory);
+
     if (m_expressionTooDeep)
         return ParserError(ParserError::OutOfMemory);
     return ParserError(ParserError::ErrorNone);
@@ -353,7 +359,8 @@ BytecodeGenerator::BytecodeGenerator(VM& vm, ProgramNode* programNode, UnlinkedP
     , m_expressionTooDeep(false)
     , m_isBuiltinFunction(false)
     , m_usesSloppyEval(false)
-    , m_inTailPosition(false)
+    , m_allowTailCallOptimization(false)
+    , m_allowCallIgnoreResultOptimization(false)
     , m_needsToUpdateArrowFunctionContext(programNode->usesArrowFunction() || programNode->usesEval())
     , m_ecmaMode(ECMAMode::fromBool(programNode->isStrictMode()))
 {
@@ -405,7 +412,10 @@ BytecodeGenerator::BytecodeGenerator(VM& vm, FunctionNode* functionNode, Unlinke
     // https://bugs.webkit.org/show_bug.cgi?id=148819
     //
     // Note that we intentionally enable tail call for naked constructors since it does not have special code for "return".
-    , m_inTailPosition(Options::useTailCalls() && !isConstructor() && constructorKind() == ConstructorKind::None && functionNode->isStrictMode())
+    , m_allowTailCallOptimization(Options::useTailCalls() && !isConstructor() && constructorKind() == ConstructorKind::None && functionNode->isStrictMode())
+    // Currently, we're only conservatively allowing CallIgnoreResult optimization on tail call results that are
+    // not in return statements. We're not attempting to eliminate all unused call results.
+    , m_allowCallIgnoreResultOptimization(true)
     , m_needsToUpdateArrowFunctionContext(functionNode->usesArrowFunction() || functionNode->usesEval())
     , m_ecmaMode(ECMAMode::fromBool(functionNode->isStrictMode()))
     , m_derivedContextType(codeBlock->derivedContextType())
@@ -902,7 +912,8 @@ BytecodeGenerator::BytecodeGenerator(VM& vm, EvalNode* evalNode, UnlinkedEvalCod
     , m_expressionTooDeep(false)
     , m_isBuiltinFunction(false)
     , m_usesSloppyEval(evalNode->usesEval() && !evalNode->isStrictMode())
-    , m_inTailPosition(false)
+    , m_allowTailCallOptimization(false)
+    , m_allowCallIgnoreResultOptimization(false)
     , m_needsToUpdateArrowFunctionContext(evalNode->usesArrowFunction() || evalNode->usesEval())
     , m_ecmaMode(ECMAMode::fromBool(evalNode->isStrictMode()))
     , m_derivedContextType(codeBlock->derivedContextType())
@@ -965,7 +976,8 @@ BytecodeGenerator::BytecodeGenerator(VM& vm, ModuleProgramNode* moduleProgramNod
     , m_expressionTooDeep(false)
     , m_isBuiltinFunction(false)
     , m_usesSloppyEval(false)
-    , m_inTailPosition(false)
+    , m_allowTailCallOptimization(false)
+    , m_allowCallIgnoreResultOptimization(false)
     , m_needsToUpdateArrowFunctionContext(moduleProgramNode->usesArrowFunction() || moduleProgramNode->usesEval())
     , m_ecmaMode(ECMAMode::strict())
 {
@@ -3472,10 +3484,12 @@ RegisterID* BytecodeGenerator::emitCall(RegisterID* dst, RegisterID* func, Expec
 
 RegisterID* BytecodeGenerator::emitCallInTailPosition(RegisterID* dst, RegisterID* func, ExpectedFunction expectedFunction, CallArguments& callArguments, const JSTextPosition& divot, const JSTextPosition& divotStart, const JSTextPosition& divotEnd, DebuggableCall debuggableCall)
 {
-    if (m_inTailPosition) {
+    if (m_allowTailCallOptimization) {
         m_codeBlock->setHasTailCalls();
         return emitCall<OpTailCall>(dst, func, expectedFunction, callArguments, divot, divotStart, divotEnd, debuggableCall);
     }
+    if (m_allowCallIgnoreResultOptimization)
+        return emitCall<OpCallIgnoreResult>(dst, func, expectedFunction, callArguments, divot, divotStart, divotEnd, debuggableCall);
     return emitCall<OpCall>(dst, func, expectedFunction, callArguments, divot, divotStart, divotEnd, debuggableCall);
 }
 
@@ -3546,7 +3560,7 @@ template<typename CallOp>
 RegisterID* BytecodeGenerator::emitCall(RegisterID* dst, RegisterID* func, ExpectedFunction expectedFunction, CallArguments& callArguments, const JSTextPosition& divot, const JSTextPosition& divotStart, const JSTextPosition& divotEnd, DebuggableCall debuggableCall)
 {
     constexpr auto opcodeID = CallOp::opcodeID;
-    ASSERT(opcodeID == op_call || opcodeID == op_call_direct_eval || opcodeID == op_tail_call);
+    ASSERT(opcodeID == op_call || opcodeID == op_call_direct_eval || opcodeID == op_tail_call || opcodeID == op_call_ignore_result);
     ASSERT(func->refCount());
 
     // Generate code for arguments.
@@ -3596,7 +3610,11 @@ RegisterID* BytecodeGenerator::emitCall(RegisterID* dst, RegisterID* func, Expec
     ASSERT(dst != ignoredResult());
     if constexpr (opcodeID == op_call_direct_eval)
         CallOp::emit(this, dst, func, callArguments.argumentCountIncludingThis(), callArguments.stackOffset(), thisRegister(), scopeRegister(), ecmaMode());
-    else
+    else if constexpr (opcodeID == op_call_ignore_result) {
+        CallOp::emit(this, func, callArguments.argumentCountIncludingThis(), callArguments.stackOffset());
+        if (shouldEmitTypeProfilerHooks())
+            emitLoad(dst, jsUndefined());
+    } else
         CallOp::emit(this, dst, func, callArguments.argumentCountIncludingThis(), callArguments.stackOffset());
 
     if (expectedFunction != NoExpectedFunction)
@@ -3612,7 +3630,7 @@ RegisterID* BytecodeGenerator::emitCallVarargs(RegisterID* dst, RegisterID* func
 
 RegisterID* BytecodeGenerator::emitCallVarargsInTailPosition(RegisterID* dst, RegisterID* func, RegisterID* thisRegister, RegisterID* arguments, RegisterID* firstFreeRegister, int32_t firstVarArgOffset, const JSTextPosition& divot, const JSTextPosition& divotStart, const JSTextPosition& divotEnd, DebuggableCall debuggableCall)
 {
-    if (m_inTailPosition)
+    if (m_allowTailCallOptimization)
         return emitCallVarargs<OpTailCallVarargs>(dst, func, thisRegister, arguments, firstFreeRegister, firstVarArgOffset, divot, divotStart, divotEnd, debuggableCall);
     return emitCallVarargs<OpCallVarargs>(dst, func, thisRegister, arguments, firstFreeRegister, firstVarArgOffset, divot, divotStart, divotEnd, debuggableCall);
 }
@@ -3625,7 +3643,7 @@ RegisterID* BytecodeGenerator::emitConstructVarargs(RegisterID* dst, RegisterID*
 RegisterID* BytecodeGenerator::emitCallForwardArgumentsInTailPosition(RegisterID* dst, RegisterID* func, RegisterID* thisRegister, RegisterID* firstFreeRegister, int32_t firstVarArgOffset, const JSTextPosition& divot, const JSTextPosition& divotStart, const JSTextPosition& divotEnd, DebuggableCall debuggableCall)
 {
     // We must emit a tail call here because we did not allocate an arguments object thus we would otherwise have no way to correctly make this call.
-    ASSERT(m_inTailPosition || !Options::useTailCalls());
+    ASSERT(m_allowTailCallOptimization || !Options::useTailCalls());
     return emitCallVarargs<OpTailCallForwardArguments>(dst, func, thisRegister, nullptr, firstFreeRegister, firstVarArgOffset, divot, divotStart, divotEnd, debuggableCall);
 }